On Sep 11, 2013, at 12:38 PM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:

>> I disagree. DNSSEC is not just DNS: it's the only available, deployed, and (mostly) accessible global PKI currently in existence which also includes a constrained path of trust which follows already established business relationships.
>
> Except that virtually nobody uses DNSSEC and most of the registrars don't support it.

I strongly disagree: I had an easier time registering my DNSSEC test domain's DS records with the registrar than the nameservers themselves, using an obnoxious company that sponsors a NASCAR driver and has obnoxious TV ads.

Comcast and Google Public DNS both validate DNSSEC on all requests. A small minority of clients can't fetch DNSSEC records, but most actually can, either through one of the recursive resolvers or over the Internet.

> And then there is that other PKI that is actually used to support a trillion odd dollars worth of global e-commerce per year.

Which the NSA is man-in-the-middling with abandon, due in no small part to the lack of a constrained path of trust.

Google has effectively given up on the TLS PKI for their own use in Chrome: they hardcode the Google sub-CA.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@xxxxxxxxxxxxxxxxx        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc